New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

check our GH actions with a static analysis tool #910

Open

lexming opened this issue Dec 13, 2024 · 1 comment

Contributor

lexming commented Dec 13, 2024

GH actions can be dangerous if they are missconfigured. Recently Ultralytics was exploited through a PR abusing its GH actions. See https://blog.yossarian.net/2024/12/06/zizmor-ultralytics-injection

Using a static analysis tool to check our actions for such weaknesses will reduce such risks.

The main actor in this field seems to be zizmor.

Member

ocaisa commented Dec 13, 2024 •

edited

Loading

In EESSI we use https://github.com/ossf/scorecard (not that I am any kind of expert but it did help expose some security issues we had in our CI)

https://scorecard.dev/viewer/?uri=github.com/EESSI/software-layer

branfosj mentioned this issue

do not persist permissions easybuilders/easybuild-containers#36

Open

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment